Monthly Archives: April 2018

OpenID Connect (OIDC) 1.0

Identity layer on top of OAuth 2.0

It allows a Relying Party (RP) to verify the identity of the End-User based on the authentication performed by an OAuth 2.0 Authorization Server (the OpenID Provider, OP), and to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Uses REST/JSON message flows

(Identity, Authentication) + OAuth 2.0 = OpenID Connect

OpenID Connect is the third generation of OpenID technology (after OpenID and OpenID 2.0)

Privacy

OpenID Connect identifies a set of personal attributes that can be exchanged between Identity Providers and the apps that use them, and includes an approval step so that users can consent (or deny) the sharing of this information.

Terminology

Authentication: Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity

Authentication Request: OAuth 2.0 Authorization Request using extension parameters and scopes defined by OpenID Connect to request that the End-User be authenticated by the Authorization Server, which is an OpenID Connect Provider, to the Client, which is an OpenID Connect Relying Party

Authentication Context: Information that the Relying Party can require before it makes an entitlement decision with respect to an authentication response. Such context can include, but is not limited to, the actual authentication method used or level of assurance such as entity authentication assurance level

Authentication Context Class: Set of authentication methods or procedures that are considered to be equivalent to each other in a particular context

Credential: Data presented as evidence of the right to use an identity or other resources

End-User: Human participant

Entity: Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity

Essential Claim: Claim specified by the Client as being necessary to ensure a smooth authorization experience for the specific task requested by the End-User

Hybrid Flow: OAuth 2.0 flow in which an Authorization Code is returned from the Authorization Endpoint, some tokens are returned from the Authorization Endpoint, and others are returned from the Token Endpoint

ID Token: JSON Web Token (JWT) that contains Claims about the Authentication event. It MAY contain other Claims

Identifier: Value that uniquely characterizes an Entity in a specific context

Identity: Set of attributes related to an Entity

Implicit Flow: OAuth 2.0 flow in which all tokens are returned from the Authorization Endpoint and neither the Token Endpoint nor an Authorization Code are used

Issuer: Entity that issues a set of Claims.

Issuer Identifier: Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components

Message: Request or a response between an OpenID Relying Party and an OpenID Provider

OpenID Provider (OP): OAuth 2.0 Authorization Server that is capable of Authenticating the End-User and providing Claims to a Relying Party about the Authentication event and the End-User

Request Object: JWT that contains a set of request parameters as its Claims

Request URI: URL that references a resource containing a Request Object. The Request URI contents MUST be retrievable by the Authorization Server

Pairwise Pseudonymous Identifier (PPID): Identifier that identifies the Entity to a Relying Party that cannot be correlated with the Entity’s PPID at another Relying Party

Personally Identifiable Information (PII): Information that (a) can be used to identify the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person to whom such information relates

Subject Identifier: Locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client

UserInfo Endpoint: Protected Resource that, when presented with an Access Token by the Client, returns authorized information about the End-User represented by the corresponding Authorization Grant. The UserInfo Endpoint URL MUST use the https scheme and MAY contain port, path, and query parameter components

Validation: Process intended to establish the soundness or correctness of a construct

Verification: Process intended to test or prove the truth or accuracy of a fact or value

Voluntary Claim: Claim specified by the Client as being useful but not Essential for the specific task requested by the End-User.
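The ID Token and Issuer Identifier definitions above describe what a Relying Party receives, but not what it has to check before trusting it. The following added example (written for this post, not code from the OpenID Connect specification or from any provider) implements the RP-side validation of an ID Token: signature, pinned algorithm, exact issuer match against a syntactically valid Issuer Identifier (https, no query or fragment), audience, expiry, and the nonce that ties the token to the Authentication Request. It uses only the Python standard library and HS256 (HMAC with a constructed client secret) so it runs offline; the client id, secret, issuer and all claim values are constructed sample data.

```python
"""RP-side validation of an OpenID Connect ID Token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed sample values for the demo; not real credentials.
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-client-secret-not-real"
EXPECTED_ISSUER = "https://op.example.com"
NONCE = "constructed-nonce-8f3a"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_valid_issuer_identifier(value: str) -> bool:
    """Issuer Identifier rule: https scheme, host, optional port and path,
    and no query or fragment components."""
    parts = urlsplit(value)
    return (parts.scheme == "https" and bool(parts.hostname)
            and parts.query == "" and parts.fragment == "")


def make_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint an HS256-signed JWT; plays the OP's role for the demo only."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, client_id, secret, expected_issuer, expected_nonce, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it ('none' is rejected here).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # iss must exactly match the OP's Issuer Identifier.
    if not is_valid_issuer_identifier(expected_issuer) or claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    # aud must contain this client; with several audiences, azp must name it too.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    # The nonce binds this ID Token to the Authentication Request the RP sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def build_sample_tokens(now: int) -> dict:
    """Constructed tokens: one valid, three that a correct RP must reject."""
    claims = {"iss": EXPECTED_ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": NONCE}
    good = make_id_token(claims, CLIENT_SECRET)
    wrong_aud = make_id_token({**claims, "aud": "some-other-client"}, CLIENT_SECRET)
    # Payload altered after signing: the old signature no longer matches.
    h, _, s = good.split(".")
    tampered = ".".join([h, b64url_encode(json.dumps({**claims, "sub": "1"}).encode()), s])
    alg_none = make_id_token(claims, CLIENT_SECRET, alg="none")
    return {"good": good, "wrong_aud": wrong_aud, "tampered": tampered, "alg_none": alg_none}


def rejection_reason(token: str, now: int) -> str:
    """Empty string if the token validates, otherwise the failing check."""
    try:
        validate_id_token(token, CLIENT_ID, CLIENT_SECRET, EXPECTED_ISSUER, NONCE, now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    for name, tok in build_sample_tokens(t0).items():
        print(f"{name:10s} -> {rejection_reason(tok, t0) or 'valid'}")
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned by the RP rather than taken from the header, and the audience check is what stops an ID Token minted for a different client from being accepted at this one.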

Extra

To verify a Google access token:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=

Google client libraries take care of many of the implementation details of authenticating users and gaining access to Google APIs. Authenticating users properly is important to their and your safety and security, and using well-debugged code written by others is generally a best practice: https://developers.google.com/identity/protocols/OpenIDConnect#libraries